Create a certificate for a server, signed by the CA. A CA-signed server certificate is created by signing the server's certificate request (CSR).

Note that the CA certificate in this example is self-signed because it is the root one. Root CA certificates are always self-signed.

RHEL6/Fedora has the following default configuration:

The file /etc/pki/tls/openssl.cnf is the default OpenSSL configuration file; it also specifies the location of all other files.

The directory /etc/pki/CA is the default location for Certificate Authority files.

Once the private key and the public CA-signed certificate files have been generated, where they are installed is generally service-specific (it depends on the service configuration).

OpenSSL has its own framework for installing CA certificates, with the /etc/pki/tls/certs/ directory as the default location. This default location is used by, for example, the openssl verify command. However, other services may require the CA certificate to be copied to a service-specific (configurable) location.

Setting up Certificate Authority (CA)

Install OpenSSL:

yum install openssl

Clean up any previously created files (when starting everything all over again):

The certificate request file is not used for anything else except decoupling two operations: (A) filling in the server information by the requester and (B) signing it by the CA. Therefore, the /etc/pki/tls/server.example.com.csr file can be removed on both the server and CA machines.

Install CA certificate on server machine

Log in to the server machine:

ssh server.example.com

Download the CA certificate from the CA machine:

scp server.example.com:/etc/pki/CA/cacert.pem /etc/pki/tls/certs

The CA certificate file should contain only one certificate. To check, count the certificate headers in the file (the result should be 1):

grep -c 'BEGIN.*CERTIFICATE' /etc/pki/tls/certs/cacert.pem

OpenSSL looks up certificates by their hash. Generate the hash of the CA certificate:

openssl x509 -noout -hash -in /etc/pki/tls/certs/cacert.pem

To reduce typing, assign the result to a shell variable:

HASH=$( openssl x509 -noout -hash -in /etc/pki/tls/certs/cacert.pem )

The symlink should be placed in the /etc/pki/tls/certs/ directory and named in the following format:
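The installation step above, from the one-certificate check to the hash-named symlink, collected into one script; this is an added example, not the page's own commands. It assumes OpenSSL 1.0 or later, where the link name is the subject hash followed by a numeric suffix counting up from 0 (so two CA certificates whose subject hashes collide can coexist in the same directory), and it finishes with the openssl verify lookup the page mentions.

```shell
#!/bin/sh
# Added example, not from the original page: install a single CA certificate
# into an OpenSSL CApath directory under the "<hash>.<n>" name that
# "openssl verify -CApath" expects, handling hash collisions. Assumes OpenSSL
# 1.0 or later, where "x509 -hash" prints the subject hash c_rehash uses.

# Count the certificates in a PEM file (the page's one-certificate check).
count_certs() {
    grep -c 'BEGIN.*CERTIFICATE' "$1"
}

# Pick the first free "<hash>.<n>" name in a CApath directory. Distinct
# certificates can share a subject hash, so n counts up from 0; an existing
# link that already points at the same target is reused, not duplicated.
# Dangling links are checked with -L so their slot is not silently taken.
choose_link_name() {
    dir=$1 hash=$2 target=$3 n=0
    while [ -L "$dir/$hash.$n" ] || [ -e "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n" 2>/dev/null)" = "$target" ]; then
            echo "$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "$hash.$n"
}

# Refuse bundles, compute the subject hash, create the symlink, then prove
# that OpenSSL can now find the CA by verifying the certificate against it.
install_ca_cert() {
    cert=$1 dir=${2:-/etc/pki/tls/certs}
    if [ "$(count_certs "$cert")" -ne 1 ]; then
        echo "$cert must contain exactly one certificate" >&2
        return 1
    fi
    hash=$(openssl x509 -noout -hash -in "$cert") || return 1
    # Link to an absolute path so the link does not dangle when run elsewhere.
    case $cert in /*) target=$cert ;; *) target=$PWD/$cert ;; esac
    name=$(choose_link_name "$dir" "$hash" "$target")
    ln -sf "$target" "$dir/$name"
    openssl verify -CApath "$dir" "$cert" >/dev/null || return 1
    echo "$dir/$name"
}

# Usage: install_ca_cert /etc/pki/tls/certs/cacert.pem
```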